Cyber Round-up for 20th March
Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Cyber experts have discovered a number of attack campaigns exploiting the public’s concerns around COVID-19. Most of the general public are largely focused on the spreading virus at the moment, meaning that if they were to receive an email addressing the issue, they would open it without hesitation. Despite this impulse, experts are strongly advising people to follow online safety advice; the harm that phishing attacks can cause is amplified at a time when many people are unable to work. The loss of money or sensitive account credentials would only make things worse, so we strongly recommend visiting the NCSC website and reading their guidance on mitigating the risk of online attacks during these unprecedented times.
A team of security researchers recently bought a German military laptop which was found for sale on eBay for €90. The laptop contained a number of classified documents, including details of the LeFlaSys Ozelot air defence system and instructions on how to destroy the mobile missile system. The files were given the lowest level of classification and the device did not require a password to log in; the files themselves were protected only by an extremely easy to guess password. A recycling firm from Bingen was responsible for listing the device for sale, and in a recent report from the Defense Ministry, the firm was also instructed to delete the data. Destroying all data before selling IT devices is a legal requirement that the military did not comply with, and this is not the first time something like this has happened. Last year, military laptops were sold by federal authorities at an auction; upon buying four of these laptops, a forest ranger found instructions for the Mars mobile rocket artillery. This is a perfect example of why all users and organisations should remove data from their devices before disposing of them: if military data can be recovered this way, so can yours.
MageCart’s long list of victims continues to grow, and NutriBullet has become its most recent victim. Following the recent removal of card skimming malware from NutriBullet’s online store, another skimmer was installed just 5 days later. This has been a back and forth battle between security experts and malicious actors, in which the malware is repeatedly removed and reinstalled; this has been the case for almost a month now, and unless the underlying vulnerabilities within the NutriBullet site are patched, it will continue to happen. As always, we advise proceeding with caution when ordering products online and temporarily avoiding any affected sites while the organisation addresses the incident.
A malicious Android app has recently surfaced that claims to track local victims of the Coronavirus. Instead, the app locks the user out of their device and demands a ransom of $100 in Bitcoin. The user then has 48 hours to pay the attacker or the contents of their device are destroyed. This scheme was discovered by security researchers at DomainTools, who have named the ransomware CovidLock. The app is distributed from a third-party website and is not on the Google Play store; this limits its ability to infect Android devices, because users have to visit the site and ignore a number of security warnings to install it. Devices using Android Nougat (Android 7.0) and higher are not affected, provided an unlock password has already been set. If you have been a victim of this ransomware, it is possible to get your data back without paying, as it is not the most advanced malware of its kind; several Reddit users have successfully recovered their data. Please take this as a warning to only download authorised apps from the Google Play store and not to blindly trust third-party providers.
Vulnerabilities & Updates
Trend Micro have been busy over the last week patching some newly surfaced vulnerabilities that have been actively exploited in the wild. One of these is a remote code execution flaw in the migration tool component of Apex One and OfficeScan. The other bug addressed is a content validation escape issue, which allows an authenticated attacker to manipulate components of certain agent clients. The affected products are Worry-Free Business Security, Apex One and OfficeScan. Affected versions are listed under each CVE on the Trend Micro website; we recommend updating as soon as possible to avoid the risk associated with these vulnerabilities.
Adobe have addressed multiple critical vulnerabilities in their most recent out-of-band software updates. These patches apply to flaws in Genuine Integrity Service, Acrobat and Reader, Photoshop, Experience Manager, ColdFusion and Bridge. Their security advisories indicate that 29 of the 41 flaws are marked critical, while the remaining 11 are important. All of the critical vulnerabilities addressed in this patch are memory corruption flaws; we recommend installing the latest version of each of these products to mitigate the risk of an attack.
And that’s it for this week’s round-up; please don’t forget to tune in for new instalments every week.
We hope this makes for light reading during these times of uncertainty.
Stay Safe, Secure and Healthy!
Edition #83 – 20th March 2020
Ironshare – Security Simplified